Frank Martin, posted July 15, 2008

I have Windows XP Pro. I first noticed a problem when I was unable to connect to my ISP most of the time, even though the "Windows Task Manager" networking tab, and the graph there, showed a lot of traffic leaving my computer and nothing coming in.

Various virus scanners did not fix the problem.

I downloaded "TCPView" and noticed that when the problem occurred, numerous entries of "csrss.exe" occurred, and the location of this was in C:\Windows\Config; there was another file in this folder called "supdate.exe".

When I close down the "csrss.exe" file in the TCPView window the problem disappears and my internet connection works OK. However, it always reappears about once a day, requiring the same deletion. My ISP has said that during these periods of outward traffic it is all going to "somewhere in California".

I have tried renaming the "csrss.exe", but then the computer does not work properly.

Can anyone guide me to fix this problem; it has been occurring for several weeks.

Regards, Frank
David H. Lipman, posted July 16, 2008

From: "Frank Martin" <fm@general.com.au>

These are illegitimate:

C:\Windows\Config\csrss.exe
C:\Windows\Config\supdate.exe

You are indeed infected with malware. You said "Various virus scanners did not fix the problem." What were the antivirus scanners used, and did they at least find anything in those files?

Chances are there are multiple load points for the malware, and thus if you delete one, a "helper" will recreate the process. You would have to find the load points through software such as AutoRuns and remove the malware from being loaded by the OS, as well as kill any running processes, and then reboot.

You can find out what AV company detects them by submitting samples to Virus Total. http://www.virustotal.com/flash/index_en.html The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL: mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

The W32/DeleteMP3.worm is known to use C:\WINDOWS\system32\config\csrss.exe http://vil.nai.com/vil/content/v_142869.htm

I don't think you have the above; based upon your description of traffic, you may have a spambot.

If you cannot help yourself through the above processes, then I suggest guided help through an Expert Forum.

1. Download and execute HiJack This! (HJT) http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe
2. Disable Notepad's word wrap: in Notepad.exe, Format --> uncheck "Word wrap"
3. Download/run Deckard's System Scanner: http://www.techsupportforum.com/sectools/Deckard/dss.exe
4. Save the scan results (Main.txt and Extra.txt)
5. And then post the contents of Main.txt and Extra.txt in your post in one of the below expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Frank Martin, posted July 16, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23Ohd02t5IHA.3420@TK2MSFTNGP05.phx.gbl...

Thank you, I am following this through.
Frank Martin, posted July 30, 2008

I have been trying to solve this problem for some time, and when I use the virus checker "F-Secure Internet Checker" this confirms that the files:

C:\Windows\Config\csrss.exe
C:\Windows\Config\supdate.exe

are causing the problem, and this F-Secure renames the files, which fixes the problem.

Unfortunately, these files are also essential Windows files, therefore I ask: can I copy across the clean and uninfected files from the original Windows XP Pro disks? And how can I do this, and will this fix it?

Regards, Frank

"Frank Martin" <fm@general.com.au> wrote in message news:O2tbJyw5IHA.2348@TK2MSFTNGP06.phx.gbl...
David H. Lipman, posted July 30, 2008

From: "Frank Martin" <fm@general.com.au>

The name csrss.exe may be legitimate but the file is not. The malware is using the legitimate file name csrss.exe to obfuscate its malicious intent.

The legitimate file belongs to, and executes from, %windir%\system32

Now go post in one of the Expert Forums like I suggested to you two weeks ago.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
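As an added illustration (this is not code from the thread, nor from TCPView, AutoRuns or any other tool named in it), here is a small Python check of the point David makes: a process called csrss.exe is only legitimate when its image lives in %windir%\system32, so the name alone proves nothing and the path is what to compare. The allow-list of system process names, the tab-separated "name, image path" listing format and the sample rows are constructed assumptions for this example; the rows mirror the two paths reported in the thread.

```python
"""Flag processes that reuse a Windows system binary's name from the wrong directory.

Added example, not part of the thread. Input is a constructed process listing
in the shape "name<TAB>image path", the kind of export a process viewer gives you.
"""
import ntpath  # Windows path semantics, available on every platform

# Constructed allow-list: well-known Windows process names and the only
# directories (relative to %windir%) they should ever run from.
EXPECTED_DIRS = {
    "csrss.exe": ["system32"],
    "smss.exe": ["system32"],
    "lsass.exe": ["system32"],
    "winlogon.exe": ["system32"],
    "services.exe": ["system32"],
    "svchost.exe": ["system32", "syswow64"],
}


def normalize(path, windir="C:\\Windows"):
    """Expand the two common %windir% spellings, collapse separators, lower-case."""
    path = path.replace("%windir%", windir).replace("%SystemRoot%", windir)
    return ntpath.normpath(path).lower()


def is_masquerading(name, image_path, windir="C:\\Windows"):
    """True when a protected system name runs from a directory it never should."""
    name = name.lower()
    if name not in EXPECTED_DIRS:
        return False  # unknown names are out of scope for a name-collision check
    parent = ntpath.dirname(normalize(image_path, windir))
    allowed = {normalize(ntpath.join(windir, d), windir) for d in EXPECTED_DIRS[name]}
    return parent not in allowed


def find_masquerading(listing, windir="C:\\Windows"):
    """Return (name, image_path) for every suspicious row in a tab-separated listing."""
    hits = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, image_path = line.partition("\t")
        if is_masquerading(name, image_path, windir):
            hits.append((name, image_path))
    return hits


# Constructed sample listing; the Config paths are the ones reported in the thread.
SAMPLE_LISTING = """\
# constructed sample: name<TAB>image path
csrss.exe\tC:\\WINDOWS\\system32\\csrss.exe
csrss.exe\tC:\\Windows\\Config\\csrss.exe
supdate.exe\tC:\\Windows\\Config\\supdate.exe
svchost.exe\tC:\\WINDOWS\\system32\\svchost.exe
explorer.exe\tC:\\WINDOWS\\explorer.exe
"""

if __name__ == "__main__":
    for name, path in find_masquerading(SAMPLE_LISTING):
        print(f"suspicious: {name} running from {path}")
```

Running it flags only the csrss.exe under C:\Windows\Config; the genuine one in system32 passes. Note what the check cannot see: supdate.exe is not flagged, because it collides with no system name. That gap is exactly why David also points at load-point review with a tool such as AutoRuns: a name check catches the decoy, but the companion that re-creates it after each kill has to be found from where it is started.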
Frank Martin, posted July 30, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uWAV4Qe8IHA.5052@TK2MSFTNGP03.phx.gbl...

I have joined "Castlecops" but for the life of me I cannot see where to post a message. There is no area to type into. What button should I push?

Frank
Malke, posted July 30, 2008

Frank Martin wrote:

> I have joined "Castlecops" but for the life of me I cannot see where to post a message. There is no area to type into. What button should I push?

If Castle Cops doesn't work for you, choose a different place. But do it now; your computer is infected.

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and the stickies first.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumd...ay.php?f=25
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
Frank Martin, posted July 30, 2008

I tried "aumha.net", but where is the "HijackThis forum" button on which to click?

"Malke" <malke@invalid.invalid> wrote in message news:evvprZk8IHA.4140@TK2MSFTNGP02.phx.gbl...
Malke, posted July 31, 2008

Frank Martin wrote:

> I tried "aumha.net", but where is the "HijackThis forum" button on which to click?

Both PA Bear and I gave you links. If you can't get to where you need to, then take the machine to a computer repair shop. I have no idea how to tell someone "click here" in writing. In any case, if you seriously cannot figure out how to post in one of those forums, you shouldn't be working on the computer yourself. I say that not to hurt your feelings but simply as a practical matter.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
Frank Martin, posted July 31, 2008

"Malke" <malke@invalid.invalid> wrote in message news:%23yKNrfq8IHA.4928@TK2MSFTNGP05.phx.gbl...

Well, I did get into the "AumHa" site, and I followed a few posts which gave me a clue how to fix it; see the following.

I have since discovered the problem was caused by a pernicious worm masquerading as csrss.exe in the C:\Windows\Config folder. It was probably a spambot, because it was causing so much outflow from my computer that I couldn't get to use the internet at all. I cannot imagine what was being sent out!

I got rid of it by running the "HijackThis" software, identifying the registry string that was causing the trouble, and deleting it. Then I deleted csrss.exe and all is well so far.

Now I always check the "Windows Task Manager" (networking tab) to observe any activity when I'm not using the internet, and now there is zero activity unless I'm using it.

I found the virus checker "F-Secure" was the only one of many that actually identified the location of the worm; Computer Associates & ZoneAlarm flopped badly. This "F-Secure" actually unzips files to check for malware, although a complete scan takes a long time, like overnight.

Regards, Frank